#1
Malwarebytes detecting Trojan.agent in regedit.exe that nothing else detects

See below log. I just updated Malwarebytes on Vista64 and ran a quick scan and it is detecting a Trojan in System32/regedit.exe that it never detected before now. The thing is I can't even see that file if I unhide files in Explorer, but if I run FreeCommander as admin I can see that file. I ran Avast from Vista64 and no Trojan is detected; I boot to Windows7 and run Kaspersky on the Vista64 system32 folder and no Trojan is found. If I scan regedit.exe directly with Malwarebytes using FreeCommander it comes up clean; if I scan it with Avast directly in FreeCommander it reports "Scan was completed with Error! The system cannot find the file specified" but it shows it scanned 1 file and it is clean. Is this maybe part of a rootkit infection or is it just a false positive? What has me concerned is that FreeCommander can see it but Explorer can't. It is signed as a Microsoft file and what is strange is that before each date field it has a ? mark. It is 131kb in size. Anyone know a good free rootkit scanner for Vista64? I have a couple for XP but don't have one for Vista64. I ran Cports and it is showing nothing unusual trying to connect out. Really need to determine if this is a serious threat or not.

Malwarebytes' Anti-Malware 1.33
Database version: 1723
Windows 6.0.6001 Service Pack 1

2/3/2009 16:12:04
mbam-log-2009-02-03 (16-11-32).txt

Scan type: Quick Scan
Objects scanned: 45231
Time elapsed: 1 minute(s), 26 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 1

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
(No malicious items detected)

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
C:\Windows\System32\regedit.exe (Trojan.Agent) -> No action taken.

#2
Re: Malwarebytes detecting Trojan.agent in regedit.exe that nothing else detects

Bubble Butt wrote:
> See below log. I just updated Malwarebytes on Vista64 and ran a
> quick scan and it is detecting a Trojan in System32/regedit.exe that
> it never detected before now. The thing is I can't even see that file
> if I unhide files in explorer but if I run FreeCommander as admin I
> can see that file. I ran Avast from Vista64 and no Trojan is
> detected, I boot to Windows7 and run Kaspersky on the Vista64
> system32 folder and no Trojan is found. If I scan regedit.exe
> directly with Malwarebytes using FreeCommander it comes up clean, if
> I scan it with Avast directly in FreeCommander it reports "Scan was
> completed with Error! The system cannot find the file specified" but
> it shows it scanned 1 file and it is clean.
> No action taken.

[snip]

If you can, submit that file to virustotal.com and see what happens.
It may be a false positive.

#3
Re: Malwarebytes detecting Trojan.agent in regedit.exe that nothing else detects

"Buffalo" <Eric@nada.com.invalid> wrote in message news:gmati4$4o9$1@news.motzarella.org...
> If you can, submit that file to virustotal.com and see what happens.
> It may be a false positive.

Here are the results. Looks like it is a false positive but if you have Malwarebytes why are you not getting the same false positive? And why can I see the regedit.exe file when I browse to upload the file with Firefox but not in Windows Explorer?

http://www.virustotal.com/analisis/d...c7112940c0cbdb

I did install a tweak file some time back to put UAC in quiet mode, would that alter regedit.exe maybe?

#4
Re: Malwarebytes detecting Trojan.agent in regedit.exe that nothing else detects

"Buffalo" <Eric@nada.com.invalid> wrote in message news:gmati4$4o9$1@news.motzarella.org...
> If you can, submit that file to virustotal.com and see what happens.
> It may be a false positive.

Update: just did a search on trojan.agent in regedit.exe and it looks like it is indeed a false positive when detected on Vista64. Read bottom post in this Malwarebytes forum thread. Looks like Malwarebytes just made me waste a good hour of my time and get paranoid for no good reason. Probably next Malwarebytes update will fix the issue. The thing is some people just let these anti-malware apps quarantine the supposedly infected file and if it is a system file they can no longer boot into Windows and have no clue how to fix it. I read that happened not too long ago with both AVG and one other AV software but can't remember whose it was now.

http://www.malwarebytes.org/forums/l...php/t5386.html

#5
Re: Malwarebytes detecting Trojan.agent in regedit.exe that nothing else detects

From: "Bubble Butt" <bubblebutt@notforemail.invalid>

| See below log. I just updated Malwarebytes on Vista64 and ran a quick scan
| and it is detecting a Trojan in System32/regedit.exe that it never detected
| before now. The thing is I can't even see that file if I unhide files in
| explorer but if I run FreeCommander as admin I can see that file. I ran
| Avast from Vista64 and no Trojan is detected, I boot to Windows7 and run
| Kaspersky on the Vista64 system32 folder and no Trojan is found. If I scan
| regedit.exe directly with Malwarebytes using FreeCommander it comes up
| clean, if I scan it with Avast directly in FreeCommander it reports "Scan
| was completed with Error! The system cannot find the file specified" but it
| shows it scanned 1 file and it is clean.

< snip >

| Files Infected:
| C:\Windows\System32\regedit.exe (Trojan.Agent) -> No action taken.

Please submit a sample of the above regedit.exe to Virus Total -- http://www.virustotal.com/flash/index_en.html
The submission will then be tested against many different AV vendors' scanners.
That will give you an idea what it is and who recognizes it. In addition Virus Total will provide the sample to all participating vendors.

You can also submit a suspect, one at a time, via the following email URL...
mailto:scan@virustotal.com?subject=SCAN

When you get the report, please post back the exact results.

--
Dave
http://www.claymania.com/removal-trojan-adware.html
Multi-AV - http://www.pctipp.ch/downloads/dl/35905.asp

#6
Re: Malwarebytes detecting Trojan.agent in regedit.exe that nothing else detects

Bubble Butt wrote:
> ... And why can I see the regedit.exe file when I browse to upload the
> file with Firefox but not in Windows Explorer?

You probably have Windows Explorer still set to the stupid defaults of "don't show hidden files" and "don't show common file extensions" and other ridiculous stuff. Go to the View options and select real choices.

--
-bts
-Friends don't let friends drive Windows

#7
Re: Malwarebytes detecting Trojan.agent in regedit.exe that nothing else detects

"Beauregard T. Shagnasty" <a.nony.mous@example.invalid> wrote in message news:gmb1oc$d2v$1@news.motzarella.org...
> You probably have Windows Explorer still set to the stupid defaults of
> "don't show hidden files" and "don't show common file extensions" and
> other ridiculous stuff. Go to the View options and select real choices.

I thought I did that already, must be some UAC thing. No matter as FreeCommander gives me complete access when I run it as admin. Ever use FreeCommander? I like it better than Explorer by far.

#8
Re: Malwarebytes detecting Trojan.agent in regedit.exe that nothing else detects

"David H. Lipman" <DLipman~nospam~@Verizon.Net> wrote in message news:xpOdnaDwfJrPnBTUnZ2dnUVZ_rrinZ2d@giganews.com...
> When you get the report, please post back the exact results.

Already did that hours ago. It is clean and it is a false positive.

#9
Re: Malwarebytes detecting Trojan.agent in regedit.exe that nothing else detects

From: "Buffalo" <Eric@nada.com.invalid>

| Bubble Butt wrote:
>> See below log. I just updated Malwarebytes on Vista64 and ran a
>> quick scan and it is detecting a Trojan in System32/regedit.exe that
>> it never detected before now. The thing is I can't even see that file
>> if I unhide files in explorer but if I run FreeCommander as admin I
>> can see that file. I ran Avast from Vista64 and no Trojan is
>> detected, I boot to Windows7 and run Kaspersky on the Vista64
>> system32 folder and no Trojan is found. If I scan regedit.exe
>> directly with Malwarebytes using FreeCommander it comes up clean, if
>> I scan it with Avast directly in FreeCommander it reports "Scan was
>> completed with Error! The system cannot find the file specified" but
>> it shows it scanned 1 file and it is clean.
>> No action taken.
| [snip]
| If you can, submit that file to virustotal.com and see what happens.
| It may be a false positive.

Please drop me an email when you get a chance.

--
Dave
http://www.claymania.com/removal-trojan-adware.html
Multi-AV - http://www.pctipp.ch/downloads/dl/35905.asp